cyber security

Do we need a treaty for cyber warfare? Interview with Nicholas Lloyd

Air Commodore Nicholas Lloyd recently departed his role as CIO for the Ministry of Defence (MoD)’s Permanent Joint Headquarters, which effectively placed him in charge of information operations for all UK military activity abroad. In February, he left the MoD to join Maersk as Deputy CISO. At Cyber Security Connect UK in Monaco, Lloyd spoke to E&T about how an increasingly multipolar world is influencing cyber hostilities, and why the world needs to agree upon cyber norms.

The concept of all hackers being bored or malicious basement dwellers has been out of date for years. Today, the most dangerous cyber actors are those who have the resources and protection of a country at their disposal.

“I think it’s easy to see cyber as a series of discrete and isolated actors,” said Lloyd. “The reality is that it’s a spectrum from one end to the other and the more worrying end of the spectrum is where you get a combination of states and other actors: terrorists, organised crime. The combination of these things gives greater freedom for those in cyberspace than they would otherwise be afforded.”

In October 2018, the UK government for the first time pointed its finger directly at the GRU – the Russian military intelligence service – accusing it of having carried out four major cyber attacks, including on the US Democratic Party and a small UK TV network. While widespread public awareness and concern about state-backed cyber hostilities have only emerged in the past couple of years, electronic warfare in its various forms has been under way for decades.

The nature of electronic and cyber hostilities, Lloyd explains, is strongly influenced by the broader distribution of economic and military strength between world powers.

“We’ve probably spent the last decade or so heavily focused on countering terrorism and insurgency. I think what we’re seeing at the moment is that we’re emerging from that era. It’s not that there aren’t still violent extremists out there, but we’re starting to see the dominance of a multipolar world, and states competing with each other, which is now becoming more dominant than the threats of terrorism,” he said. “What we’re seeing is a combination of the capability to do something and the intent to use it.”

Russia is facing serious demographic problems associated with eventual economic decline. Lloyd sees Russia as being “at the peak of its power and wanting to secure it and influence as it goes into the future”; as a result, Russia’s cyber operations tend to be highly disruptive and not always covert. Lloyd explains that this is a way of messaging displeasure with the direction of Western powers, such as Nato and the EU.

Countries booming in the globalised world, however, are much less likely to be disruptive to the global markets they depend upon for prosperity. The behaviour in cyberspace of China, which is growing into an economic powerhouse with a large population and great military strength, is instead motivated by a desire for even more rapid growth. “To maintain stability internally, they probably need to continue their current growth […] you need to be constantly delivering and expanding commercially in a competitive way, so it’s not unusual therefore to see accusations against China of [intellectual] property theft because that’s one way of making sure that your economy develops at a rapid pace,” Lloyd said.

Countries like North Korea and Iran – which have been subject to crippling sanctions and which cannot match the traditional military strength of Nato allies – turn to cyber attacks to gain access to intellectual property and steal international currencies, including cryptocurrencies. A typical example of this sort of disruptive behaviour is the international WannaCry ransomware attack of May 2017, which US, UK and Australian authorities traced back to Pyongyang-backed actors.

“I think all of us would look at the US in terms of its military power and be a little bit awestruck,” Lloyd said. “It is a very large nation with a very large and capable armed forces, and therefore it’s not surprising to think that anybody who feels that they want to compete would want to find a way of levelling the playing field and therefore look for an advantage in something that is not necessarily conventional military [strength]. So you can see the attractiveness of cyber as a way of levelling the playing field and getting some relative advantage.”

The other key attraction of states acting through cyber means is that this is a field in which competition, confrontation and conflict is not restricted by international agreements like the Geneva Convention. Compared with conventional forms of confrontation – such as sanctions or air strikes – there is a stark lack of accountability for governments ordering cyber attacks on their rivals.

Lloyd called for an “across the board” governmental approach to cyber hostilities which accounts for their broad reach, and their deep entanglement with conventional warfare. States typically fuse diplomatic, economic, and informational efforts with military efforts to bring about changes in behaviour and it is a folly to see cyber as independent from other spheres of warfare. He believes that the point countries pass the boundary between cyber confrontation and cyber warfare is simply the point at which other forms of warfare are also happening, although the world is still some way from formalising this as a rule.

Reaching the point where all major powers agree on an international treaty for cyber warfare will require all of them to experience the costs of cyber hostilities, beginning with being explicitly condemned by other governments for their actions. Agreeing upon norms is vital, he believes; while he is wary of “alarmist” speculation, he says that serious harm could be caused by cyber attacks on basic utilities like water. These will only become more sophisticated and damaging in the highly-connected industry of the future.

“It’s important that we start developing norms in terms of cyber. In those other environments there are norms established; there are laws that govern activity in those spaces even in war,” Lloyd said. “We would all benefit from a set of norms and behaviours turned into something like a treaty for behaviour in cyber space because it’s not quite been codified at the moment. And I think as part of that process you’ll find naturally much greater clarity over whether you’re just in competition or confrontation.”

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles